Embedded dashboard security

Guys, good afternoon!

In an embedded dashboard / question, the link, usually placed in an iframe, has a structure similar to this code snippet:

http://localhost:3000/embed/dashboard/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e…

If you can view the source code of the frame (decrypting it), could you access the Metabase server? The idea is that this server cannot be accessed from embedded dashboards; that would be a security flaw.

I did two tests:

  1. Metabase [without] Authentication mode Configured: From a built-in dashboard (Not public link), I took the link and shared it with a user. The dashboard has been accessed normally.

  2. Metabase [with] configured LDAP authentication mode: The built-in dashboard (Not public link) was also accessed normally without requesting authentication.

Question: How can I make Metabase request authentication when the dashboard is embedded?


Authentication with regard to embedding depends upon your own application in which you are embedding Metabase, not Metabase itself... At least that's the way I understand it. And no, embed users cannot directly access the Metabase application; they do not sign in to Metabase at all, they sign in to your application in which you have embedded a Metabase Question or Dashboard.

Here are some links to embed security discussions on GitHub that may interest you:
GitHub Issue #8111, #9494, GitHub Pull #7817

Some time back I inquired about adding users to Metabase programmatically, with a view to having embed users sign in to Metabase itself to use embeds so as to take advantage of Groups, but quickly put it on the back burner when I realized it doesn't work that way. That's not the way Metabase handles embeds out of the box; it would take some custom coding in clj and your own application to do it:

Hi @mesquest,

And the SAML authentication mode, would it have any significance in this scenario?

And,

But my main concern is regarding the Metabase server security. I insist: from the iframe source code (where the embedded dashboard's encrypted link will be), will it be possible for the server to suffer an attack?

Thank you,

Looking at the following, I don't think SAML affects embeds. Even though there is a JWT alternative mentioned, and embeds do use JWT, I don't believe there's a direct relationship. As noted in this comment to #9494, embeds are somewhat secondary to the main thrust of Metabase, though that could change.
https://metabase.com/docs/v0.30.4/administration-guide/16-authenticating-with-saml.html
https://metabase.com/docs/v0.30.4/administration-guide/18-authenticating-with-jwt.html

@mesquest
I think the essence of authentication via LDAP or SAML would be for Metabase to require authentication when a dashboard / question was accessed using an embedded link, except when it was a public link.

Could be, I'm not sure; perhaps @flamber or another user could chime in and verify the relationship of these authentication options to embeds and maybe where Metabase sees embeds going.

I don't understand the question, but the issues @mesquest links to seem to be exactly about making embedding more secure.
But embedding should not be part of the SSO login. Otherwise I would only be able to embed if a user existed in Metabase.
If you want to provide external access to dashboards/questions, then you could use Public sharing, but with a reverse proxy that takes care of authentication.

Hi @flamber and @mesquest, good morning!

Okay, I’m convincing myself of the explanations.
One more question: Could you explain what SAML authentication is and what its purpose is? I know it has to do with single sign-on, but what is its application in Metabase? Could you give an example?

SAML allows you to connect any SSO provider that supports that standard.
https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
So instead of Metabase having to create an SSO integration for each provider, they can just support SAML.

Dear @flamber

We have not (yet) been able to configure SAML authentication in Metabase, where the main goal would be to use single sign-on and also the incorporation of dashboards / questions and tals. However, I have already been able to generate the dashboards and incorporate them into some web applications. Could we continue using this approach, without authenticating via SAML? Because the web application is already authenticated via the identity provider (IdP). In Metabase, I have already been able to configure LDAP authentication from the same SAML provider.

@Lourival
I think you’re misunderstanding the difference between SSO (Google, LDAP, SAML) and Embedding tokens.
SSO is authentication for accessing Metabase. Embedding is for integrating with other applications.
If you want to use SSO, when accessing the Embedding, then you need to create that authentication process.

Uai, I created an embedded dashboard and the link (http://localhost:3000/embed/dashboard/eyJhbGciOiJIUzI1NiIsIn…) was accessed as if it were a public link, without asking for authentication.
In this regard I was really confused!

But that is a token URL, which means that you've created the authentication already.

That is correct!
In fact, I have very specific details of how I generated this token, could you contact me in private?

What are you exactly trying to do? Are you just trying to have public dashboards, but with a login?

Hi @flamber, good night!

In fact it’s like this:

We develop web applications. In this application, users authenticate using LDAP, which is also a SAML provider. So in Metabase, we created dashboards with application usage data, such as billing. Our goal is to incorporate these dashboards into the application using an iframe. In this way, access to and security of the dashboards will be controlled by the application. However, my fear is that the user will be able to access these dashboards from outside the application if he can access the dashboard link (by displaying the source code of the frame). Question: Is it possible to maintain this security without using SAML authentication?

@Lourival

That's what the GitHub issue links in the first comment by @mesquest are all about: trying to increase the security of embedding while making it more flexible.

If you set the expiration of the JWT tokens to a few seconds, then it’s only accessible for that period.

If you're already using SAML, then you could authenticate the requests to Metabase with a reverse proxy module, like:
https://github.com/nginx-shib/nginx-http-shibboleth
https://github.com/UNINETT/mod_auth_mellon

Ok @flamber, I’ll evaluate your directions.
Thank you!

@Lourival
If you are just concerned about embed security without having to go through SAML or other such authentication, it appears theoretically possible. Basically you would set the embed's JWT token to a few seconds and configure your application to re-submit the request when it receives a 403 error. This GitHub comment elaborates a bit more, though you'd have to read the whole thread to verify the logic:
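The three mechanics the thread turns on, shown together in one added example that is not from any of the posters and not Metabase's own code: what a user who reads the iframe source can and cannot do with the `/embed/dashboard/<token>` link (first post), the short JWT expiry suggested by @flamber, and the application re-minting a token when the server answers 403 (last post). It builds the HS256 signed-embedding token in the claim shape Metabase documents (`resource`, `params`, `exp`) using only the Python standard library; the site URL, secret key, dashboard id and the `verify_embed_token` / `load_with_refresh` functions are constructed for illustration and stand in for the Metabase server and your application respectively.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: a real deployment uses its own site URL and the
# "Embedding secret key" shown in Metabase's admin settings.
METABASE_SITE_URL = "http://localhost:3000"
METABASE_SECRET_KEY = "0123456789abcdef" * 4  # placeholder, not a real key


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the JWT format drops."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_embed_token(resource: dict, params: dict, ttl_seconds: int,
                     secret: str = METABASE_SECRET_KEY, now: float = None) -> str:
    """Mint the HS256 token Metabase signed embedding expects.

    ttl_seconds is the "few seconds" expiry suggested in the thread; the
    claim shape (resource, params, exp) is the documented one.
    """
    now = time.time() if now is None else now
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"resource": resource, "params": params, "exp": int(now) + ttl_seconds}
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header}.{payload}"
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def embed_url(token: str) -> str:
    """The iframe src, i.e. exactly what a user sees in the page source."""
    return f"{METABASE_SITE_URL}/embed/dashboard/{token}#bordered=true&titled=true"


def decode_payload(token: str) -> dict:
    """Anyone holding the link can read the claims: the token is signed, not encrypted.

    What they cannot do is produce a valid signature for changed claims
    without the secret key, and the claims expire.
    """
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_embed_token(token: str, secret: str = METABASE_SECRET_KEY,
                       now: float = None) -> int:
    """Server-side acceptance check as an HTTP-style status.

    200: signature valid and not expired. 403: bad signature or expired
    (the 403 the last post says the application should react to). 400: malformed.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return 400
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return 400
    if not hmac.compare_digest(expected, presented):
        return 403
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return 403
    return 200


def load_with_refresh(resource: dict, params: dict, token: str,
                      ttl_seconds: int, now: float = None) -> tuple:
    """Application-side pattern from the thread: on 403, mint a fresh token and retry once.

    The replacement is signed from the application's own resource/params,
    never from claims copied out of the rejected token, so a tampered token
    cannot be laundered into a valid one. Returns (status, token_used).
    """
    now = time.time() if now is None else now
    status = verify_embed_token(token, now=now)
    if status != 403:
        return status, token
    fresh = sign_embed_token(resource, params, ttl_seconds, now=now)
    return verify_embed_token(fresh, now=now), fresh


if __name__ == "__main__":
    issued_at = time.time()
    tok = sign_embed_token({"dashboard": 1}, {}, ttl_seconds=5, now=issued_at)
    print(embed_url(tok))                      # what the iframe exposes
    print(decode_payload(tok))                 # readable by anyone with the link
    print(verify_embed_token(tok, now=issued_at + 1))   # 200 while fresh
    print(verify_embed_token(tok, now=issued_at + 60))  # 403 once expired
```

With a five-second `exp`, a link copied out of the page source is useless a moment later, which is the whole point of the short-expiry advice; the cost is that the embedding application must be able to sign a new token on demand and reload the iframe when it sees a 403.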